We’ve upgraded our Apache Web server software to fix the security bug CVE-2016-8743.
Customers should not notice any changes, with one exception: The update makes Apache refuse to serve a page if you’re using some sort of code that outputs an invalid HTTP header. It would previously just ignore the header.
For example, this PHP script line has a bug, which is that it includes an extra space after “Expires”:
header ("Expires : Thu, 01 Dec 1994 16:00:00 GMT");
The web server software would previously ignore that problem, but now it leads to this in the error logs:
Response header name 'Expires ' contains invalid characters, aborting request
Similarly, this code contains a space in the words “Last Modified”:
header("Last Modified: $time");
Which causes this:
Response header name 'Last Modified' contains invalid characters, aborting request
The correct header name in that example should be Last-Modified, with a hyphen. Spaces are never allowed in HTTP headers.
If anything related to this happens to you, let us know and we can help you track down and fix it.